No 'default' match condiftion doesn't allow to enforce a strict default release policy

[guillomovitch]

According to my understanding, this module only allow to restricts the list of allowed attributes for some categories, not the reverse (extend the list of allowed attributes for them).

The following configuration allows services belonging to R&S category, or complying with eduGain Code of conduct to require eduPersonPrincipalName attribute:

50 => array(
  'class' => 'entitycategories:EntityCategory',
  'http://www.geant.net/uri/dataprotection-code-of-conduct/v1' => array(
    'eduPersonPrincipalName',
  ),
  'http://refeds.org/category/research-and-scholarship' => array(
    'eduPersonPrincipalName',
  ),
),

51 => array(
  'class'   => 'core:AttributeLimit',
  'default' => true,
)

However, as the module design requires to have AttributeLimit configured to allow any kind of attributes list overrides through metadata, I'm actually enforcing constraints only for services matching the categories specified in previous step, not for others. There seems to be no way to deny other services access to this attribute, if present in metadata.

[jaimeperez]

Hi @guillomovitch!

Would your scenario be covered by the latest addition to the module (check the readme)?